Craig Young, a researcher with security firm Tripwire, said he
discovered an authentication weakness that leaks incredibly
accurate location information about users of both the smart
speaker and home assistant Google Home, and Chromecast, a small
electronic device that makes it simple to stream TV shows, movies
and games to a digital television or monitor.

Young said the attack works by asking the Google device for a list
of nearby wireless networks and then sending that list to Google’s
geolocation lookup services.

“An attacker can be completely remote as long as they can get the
victim to open a link while connected to the same Wi-Fi or wired
network as a Google Chromecast or Home device,” Young told
KrebsOnSecurity. “The only real limitation is that the link needs
to remain open for about a minute before the attacker has a
location. The attack content could be contained within malicious
advertisements or even a tweet.”

Young is getting location data accurate to within 10 meters from his exploit. All you have to do to be exposed is open a web page and leave it open for a minute. This is the common sense fear of this whole Internet of Things movement: that these devices we’re putting on our networks aren’t secure, even the ones from big companies like Google.

(I would also argue that it’s wrong that JavaScript running on a web page is able to ping devices on your local network without any sort of prompt granting it such access.)